[CentOS] Optimizing CentOS for gigabit firewall

Sun Dec 20 15:50:53 UTC 2009
Chan Chung Hang Christopher <christopher.chan at bradbury.edu.hk>

Peter Serwe wrote:
> I'll second damn near everything nate said, and hopefully add a tidbit or
> two.
> 
> If you're new to BSD, you may want to consider the pfsense project in the
> aforementioned active-active configuration.
> 
> It gives you a nice, intuitive gui to manage your failover firewalls, if you
> insist on putting a firewall in front of your web servers.
> 
> Better to secure the box, leave only the ports you need open on the public
> interfaces, and don't firewall them.
> 
> Also, I'd strongly consider running your firewalls with no disk at all.  A
> Live CD, CF card or USB Flash to boot off of, remote syslog and
> one less subsystem (disks) to buy/fail makes for some mighty cheap 1U
> servers.  A single dual-core with core speeds above 3.0GHz
> and 4GB of RAM is to pass Gb @ line rate - ethernet overhead.  Truth be
> told, it's already being done on much less

/me going to try to get a diskless OpenBSD setup again.

> than that.  You can also load balance your traffic, albeit somewhat
> primitively with it.  If you really want massive throughput, consider toying
> around with extremely expensive 10G gear, size RAM appropriately, and see
> how PF performs under multi-processor, high-core speed.
> but if you're handling over a Gb of traffic and you can't split the
> application into multiple farms, that's the best move.
> 

That part about high-core speed for OpenBSD pf is definitely on. The
multi-processor part...not too sure. Maybe with NUMA systems like what
you get on AMD Opteron platforms.